Home
Products
Red Hat Certificate System
9
Planning, Installation, and Deployment Guide
10.7. Converting Masters and Clones

10.7. Converting Masters and Clones

Only one single active CA generating CRLs can exist within the same topology. Similarly, only one OCSP receiving CRLs can exist within the same topology. As such, there can be any number of clones, but there can only be a single configured master for CA and OCSP.

For KRAs and TKSs, there is no configuration difference between masters and clones, but CAs and OCSPs do have some configuration differences. This means that when a master is taken offline — because of a failure or for maintenance or to change the function of the subsystem in the PKI — then the existing master must be reconfigured to be a clone, and one of the clones promoted to be the master.

10.7.1. Converting CA Clones and Masters

Stop the master CA if it is still running.
Open the existing master CA configuration directory:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
cd /var/lib/pki/instance_name/ca/conf
```
```
# cd /var/lib/pki/instance_name/ca/conf
```
Edit the CS.cfg file for the master, and change the CRL and maintenance thread settings so that it is set as a clone:
- Disable control of the database maintenance thread:
  Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
ca.certStatusUpdateInterval=0
```
```
ca.certStatusUpdateInterval=0
```
- Disable monitoring database replication changes:
  Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
ca.listenToCloneModifications=false
```
```
ca.listenToCloneModifications=false
```
- Disable maintenance of the CRL cache:
  Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
ca.crl.IssuingPointId.enableCRLCache=false
```
```
ca.crl.IssuingPointId.enableCRLCache=false
```
- Disable CRL generation:
  Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
ca.crl.IssuingPointId.enableCRLUpdates=false
```
```
ca.crl.IssuingPointId.enableCRLUpdates=false
```
- Set the CA to redirect CRL requests to the new master:
  Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
master.ca.agent.host=new_master_hostname
master.ca.agent.port=new_master_port
```
```
master.ca.agent.host=new_master_hostname
master.ca.agent.port=new_master_port
```

Stop the cloned CA server.

Copy to Clipboard Toggle word wrap

systemctl stop pki-tomcatd@instance_name.service

# systemctl stop pki-tomcatd@instance_name.service

Open the cloned CA's configuration directory.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
cd /etc/instance_name
```
```
# cd /etc/instance_name
```
Edit the CS.cfg file to configure the clone as the new master.
1. Delete each line which begins with the ca.crl. prefix.
2. Copy each line beginning with the ca.crl. prefix from the former master CA CS.cfg file into the cloned CA's CS.cfg file.
3. Enable control of the database maintenance thread; the default value for a master CA is 600.
  Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
ca.certStatusUpdateInterval=600
```
```
ca.certStatusUpdateInterval=600
```
4. Enable monitoring database replication:
  Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
ca.listenToCloneModifications=true
```
```
ca.listenToCloneModifications=true
```
5. Enable maintenance of the CRL cache:
  Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
ca.crl.IssuingPointId.enableCRLCache=true
```
```
ca.crl.IssuingPointId.enableCRLCache=true
```
6. Enable CRL generation:
  Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
ca.crl.IssuingPointId.enableCRLUpdates=true
```
```
ca.crl.IssuingPointId.enableCRLUpdates=true
```
7. Disable the redirect settings for CRL generation requests:
  Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
master.ca.agent.host=hostname
master.ca.agent.port=port number
```
```
master.ca.agent.host=hostname
master.ca.agent.port=port number
```

Start the new master CA server.

Copy to Clipboard Toggle word wrap

systemctl start pki-tomcatd@instance_name.service

# systemctl start pki-tomcatd@instance_name.service

10.7.2. Converting OCSP Clones

Stop the OCSP master, if it is still running.
Open the existing master OCSP configuration directory.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
cd /etc/instance_name
```
```
# cd /etc/instance_name
```
Edit the CS.cfg, and reset the OCSP.Responder.store.defStore.refreshInSec parameter to 21600:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
OCSP.Responder.store.defStore.refreshInSec=21600
```
```
OCSP.Responder.store.defStore.refreshInSec=21600
```

Stop the online cloned OCSP server.

Copy to Clipboard Toggle word wrap

systemctl stop pki-tomcatd@instance_name.service

# systemctl stop pki-tomcatd@instance_name.service

Open the cloned OCSP responder's configuration directory.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
cd /etc/instance_name
```
```
# cd /etc/instance_name
```
Open the CS.cfg file, and delete the OCSP.Responder.store.defStore.refreshInSec parameter or change its value to any non-zero number:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
OCSP.Responder.store.defStore.refreshInSec=15000
```
```
OCSP.Responder.store.defStore.refreshInSec=15000
```

Start the new master OCSP responder server.

Copy to Clipboard Toggle word wrap

systemctl start pki-tomcatd@instance_name.service

# systemctl start pki-tomcatd@instance_name.service

10.7. Converting Masters and Clones

10.7.1. Converting CA Clones and Masters

10.7.2. Converting OCSP Clones

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

Making open source more inclusive

About Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links